How do we get that token?

To obtain a token, you typically follow an authentication flow that depends on the security protocol in use. For OAuth 2.0, the most common flow for server‑to‑server communication is the Client Credentials flow. First, the client (your application) sends a POST request to the authorization server’s token endpoint, including its client ID, client secret, and the grant_type set to "client_credentials". The server validates the credentials and, if they are correct, returns an access token (often a JWT) and an optional refresh token. The client then stores the access token securely and attaches it to subsequent API requests in the Authorization header as a Bearer token: Authorization: Bearer <access_token>. If the token expires, the client can use the refresh token to obtain a new access token without re‑authenticating the user. In simpler setups, a static API key or a pre‑generated token may be used, but the principle remains the same: request a token from the auth service, receive it, and include it in API calls.